How to Secure Your Linux Server: A Detailed Guide

If you’re one of the millions of business owners who use Linux, you already know that Linux servers are cost-effective, versatile, and supremely flexible due to their open-source nature. Linux provides community cooperation and shared resources, especially for small business owners, making it a primary and popular choice for lots of enterprising entrepreneurs.

That all said, Linux being open source also means that it has security risks and vulnerabilities. You need to know how to secure your Linux server both to protect your business and the data of your customers as you expand your brand. Let’s take a closer look at how you can secure a Linux server in a variety of different ways.

Update Your Linux Server

Before you do anything else, you should make sure your Linux server is up-to-date and as modern as possible. Regularly updating your Linux server is key to maintaining good digital defenses and strong server security – note that this tip is also true for any cyber security element, like a firewall, antivirus software, and so on.

Your Linux server might update automatically. But if you aren’t sure whether this is the case, or you want to update your Linux server manually, you have two options:

·         Use the Update Manager in Linux, which automatically searches for updates and notifies you if any are available. All Linux distributions, or distros, have a GUI, or graphical user interface, that enables you to update your Linux server quickly and easily

·         Use the Linux terminal, which is the main terminal through which you can enter commands and manually update your system

Want to follow the second route? You can do that by refreshing the package lists from your distribution’s repositories, then applying the latest patches.

·         On Debian and Ubuntu, use the following command: $ sudo apt update && sudo apt upgrade -y

·         On RHEL, CentOS, or Fedora, use the following command: $ sudo dnf upgrade

Once your Linux server is updated, it will be responsive to all the modern cybersecurity techniques and tools you want to use. It’ll also be inherently a little more secure against discovered security threats, like malware intrusions or “back doors.”

Note that some Windows or Mac computers may not allow new Linux distributions or updates to functionality because of their age. Therefore, make sure you only install a new Linux system on a relatively new or modern PC.

Make a Privileged User Account for Modifications

Most business owners and administrators avoid using the root access terminal when logging into their Linux servers. That’s because the root login terminal, while powerful, is also risky if you don’t know what you’re doing; just entering one wrong command or a typo can destroy or decimate your server and its data. Thus, any root users need to know what they’re doing and how to do things like open ports, etc.

That’s why it’s much smarter to make a user account with sudo privileges. Such privileged accounts enable users like you to run root commands without actually logging in as root, thereby reducing the above-mentioned risk.

Fortunately, creating a new privileged user account for higher Linux server security is fairly straightforward.

·         First, create a new user by typing – $ adduser <username>

·         Next, give that user sudo rights by entering the following command – $ usermod -a -G sudo <username>

Once this is done, you’ll have created a new user profile on your Linux server, but that profile will have system administrator privileges and permissions. You can go forward using that profile for all your other digital upgrades and any other commands or controls you want to implement. Think of it as giving yourself the keys to the digital kingdom.

Implement a Password or SSH Key

Passwords and SSH keys are also popular ways to secure a Linux server. This is an important step after setting up a new account with privileges and administrative access; otherwise, anyone can access that profile and make changes to your server without your agreement.

A password is a strong security measure for both Linux servers and all other digital platforms, like firewalls, databases, etc. Luckily, Linux makes it easy for you to set up and/or edit a system password using the terminal. Just choose a password that you like, then enter it.

A word of advice: try to make a strong Linux password that can’t easily be guessed. A good rule of thumb is to make a password that includes at least one uppercase and lowercase letter each, one number, and one symbol at minimum, with a minimum number of characters, like 12. That way, even a brute force attack will have a hard time getting through your password defense, and people won’t be able to guess your password even if they know something about you.

Have trouble remembering passwords? Use a password manager or simply write the password down in a secure area that only you can access, like inside your safe.

Securing an SSH Key

In addition to setting up a password, you should also set up an SSH key. An SSH server key lets you access your server securely and safely without having to enter a password. Thus, it’s a good choice if you have difficulty remembering passwords or don’t have a password manager.

You don’t have to come up with an SSH key from scratch. Instead, you can use the Linux terminal to generate a new SSH key, then upload the key to your server using this command:

·         $ ssh-copy-id <username>@ip_address

Before moving on, you’ll need to secure your SSH key by:

·         Disabling SSH password authentication

·         Restricting root access via logging in remotely. This prevents anyone from logging into your Linux server (and administrator profile) from afar

·         Restricting access to both IPv4 and IPv6

Sound complex? It’s not! Simply open up /etc/ssh/sshd_config using any text editor, like Microsoft Notepad, then take a look at the following lines:

·         PasswordAuthentication yes

·         PermitRootLogin yes

See the “yes” next to both of those lines? They need to be “nos” instead. So go into your text editor and change it so the lines look like this:

·         PasswordAuthentication no

·         PermitRootLogin no

Your next step is to then restrict the SSH service to IPv4 or IPv6. You can do that by modifying the AddressFamily line, again located in the text editor of your choice. We recommend switching it so it only uses IPv4, which should work for the majority of business owners. Make sure the line reads as follows:

·         AddressFamily inet

Be sure to restart your SSH service so the changes are enabled. Otherwise, you’ll have to go back in and make the modifications once more. To do this, follow the steps based on the type of Linux server you’re using:

·         Ubuntu – $ sudo service sshd restart

·         Fedora, CentOS, or any type using Systemd – $ sudo systemctl restart sshd

Once that’s done, your SSH key is uploaded to your Linux server and you can always log into your Linux server without having to type in a password. Still, it’s good to utilize both security measures just in case. This is a bit technical, but it will go a long way toward shoring up your digital defenses for your Linux server across the board.
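
The following added example, which is not part of the original article, reports the value sshd would actually use for the three settings changed in this section, including the case where a corrected line is appended but an older line still wins. It assumes a single sshd_config file with no Include or Match handling; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): report the value sshd would
# actually use for PasswordAuthentication, PermitRootLogin and AddressFamily.

# Constructed sample config: "PasswordAuthentication no" was appended at the
# end, but the earlier "yes" line was left in place.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not from a real host
Port 22
PasswordAuthentication yes
permitrootlogin no
#AddressFamily inet
PasswordAuthentication no
EOF
    echo "$f"
}

# effective_value FILE KEYWORD DEFAULT
# sshd keeps the FIRST value it reads for a keyword, and keywords are
# case-insensitive. Include files and Match blocks are not followed here.
effective_value() {
    awk -v want="$2" -v def="$3" '
        NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
        { sub(/[ \t]*=[ \t]*/, " ") }          # accept "Keyword=value" too
        tolower($1) == "match" { exit }        # global section ends here
        tolower($1) == tolower(want) { print $2; found = 1; exit }
        END { if (!found) print def }          # unset: OpenSSH default applies
    ' "$1"
}

# check_setting FILE KEYWORD DEFAULT EXPECTED -> prints a PASS or FAIL line
check_setting() {
    actual=$(effective_value "$1" "$2" "$3")
    if [ "$actual" = "$4" ]; then echo "PASS $2 $actual"
    else echo "FAIL $2 is $actual, expected $4"; fi
}

audit_sshd() {
    check_setting "$1" PasswordAuthentication yes no
    check_setting "$1" PermitRootLogin prohibit-password no
    check_setting "$1" AddressFamily any inet
}

cfg=$(make_sample_config)
audit_sshd "$cfg"
rm -f "$cfg"
```

On a live server, sudo sshd -T prints the effective configuration as sshd itself computes it, and sudo sshd -t checks the file for syntax errors before you restart the service.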

Install a Linux Firewall

Firewalls are tried-and-true methods of protecting databases and servers alike from all kinds of cyber hazards, like malware attacks. Therefore, you should always ensure your Linux server has a firewall installed. Fortunately, there are lots of open source firewalls you can install and implement depending on your preferences.

Note that there are some differences between different firewalls, however. For instance, some firewalls allow outgoing traffic but prevent any incoming traffic from affecting your server whatsoever. That prevents apps from reaching your server but still lets you access the Internet. Other firewalls may allow limited access or enable some server use from select individuals.

The best choice for most is UFW, or Uncomplicated Firewall. This firewall can be configured to only let in network traffic that you personally approve. Install UFW with the following command:

·         $ sudo apt install ufw

Once that’s installed, UFW will deny any incoming network connections but allow outgoing network traffic. Thus, the next step is to ensure you can log in by enabling access to SSH, HTTP, and HTTPS, respectively, with the following commands:

·         $ sudo ufw allow ssh

·         $ sudo ufw allow http

·         $ sudo ufw allow https

Be sure to enable UFW itself once these settings are implemented with, “$ sudo ufw enable”. If you ever want to disable your firewall for one reason or another, simply use the command, “$ sudo ufw disable”.

You’ll also want the firewall to update regularly for new security updates. Ensure that your chosen firewall has web server access to accomplish this.

Note that depending on your distribution, you might already have firewall-cmd installed and integrated. Still, UFW is a good firewall to take advantage of for added protection.

Limit Any Unneeded Linux-Facing Services

Every Linux server version will come with at least a few network-facing services. While most of these should be kept, you may wish to remove some to minimize network vulnerabilities. This is true for any unwanted apps and packages, of course; if you enable a service and barely use it, it just represents a potential way into your server for a motivated threat actor.

First, look at the network services your Linux server runs through this command: “$ sudo ss -atpu”. Depending on your operating system, the output can differ. But if you see a service you want to remove because you don’t use it, use the below commands depending on your server type:

·         Ubuntu/Debian – $ sudo apt purge <service_name>

·         CentOS/Red Hat – $ sudo yum remove <service_name>

Once that’s done, run the ss -atup command again in order to verify that those unused services are no longer running on your Linux server.

Only Install Necessary Third-Party Packages

Linux, being open-source, doesn’t limit how many third-party packages or additions you can install. While lots of these can be fun, useful, or even apparently necessary, some come with baked in security concerns that can cause problems for business owners.

With this in mind, be sure to only install server packages that you are sure you will use regularly and that have good security reputations. Research different server packages to determine whether previous or current users have had any breaches or vulnerabilities due to those packages or if they have any other concerns.

Use Fail2ban

Fail2ban is a server log application that checks your server for any automated and/or repeated digital attacks. The usefulness of this app is obvious, especially if you think your business may be targeted by bad actors for one reason or another.

If Fail2ban discovers any repeated or automated attacks, it will automatically alter your firewall in order to block the IP address of any attacker(s). Fail2ban blocks those IP addresses permanently or for a certain amount of time depending on your preferences.

Sound useful? Good! To install Fail2ban, type in the following command:

·         $ sudo apt install fail2ban -y

Next, you’ll want to copy this configuration file:

·         $ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Then restart Fail2ban to ensure that it sets up properly on your Linux server:

·         $ sudo service fail2ban restart

Once you input that command, Fail2ban should be set up and running in no time. It will alert you to login attempts from remote servers as part of its intrusion detection services, plus allow access control so you can adjust your config file or server as needed. With Fail2ban running, unauthorized access will be much less likely.

Fail2ban will run continuously and examine log files to look for attacks. Once Fail2ban runs for a few weeks, you’ll find that it builds up a list of banned IP addresses, which shows just how well it works.
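
To show the kind of decision Fail2ban makes when it reads your logs, here is an added example (not Fail2ban’s own code and not from the original article) that flags addresses with at least maxretry failed SSH logins inside a findtime window. The log lines are constructed, the function names are hypothetical, and the timestamps are assumed to stay within one month.

```shell
#!/bin/sh
# Added example (not Fail2ban's own code): a simplified model of the
# maxretry / findtime decision over sshd log lines.

# Constructed sample log; addresses come from documentation ranges.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar 10 06:25:01 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 40022 ssh2
Mar 10 06:25:03 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 40022 ssh2
Mar 10 06:25:04 web1 sshd[2107]: Accepted publickey for deploy from 198.51.100.7 port 51514 ssh2
Mar 10 06:25:06 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40030 ssh2
Mar 10 06:40:00 web1 sshd[2200]: Failed password for deploy from 198.51.100.7 port 51600 ssh2
Mar 10 07:10:00 web1 sshd[2300]: Failed password for deploy from 198.51.100.7 port 51700 ssh2
Mar 10 07:40:00 web1 sshd[2400]: Failed password for deploy from 198.51.100.7 port 51800 ssh2
EOF
    echo "$f"
}

# detect_bans LOGFILE MAXRETRY FINDTIME_SECONDS -> one address per line
# Assumes classic syslog timestamps and a log that stays within one month.
detect_bans() {
    awk -v maxretry="$2" -v findtime="$3" '
        /sshd\[[0-9]+\]: Failed password/ {
            # Usernames are attacker-controlled, so read the address from
            # the fixed tail "from <ip> port <n> ssh2", not the first "from".
            if ($(NF-4) != "from" || $(NF-2) != "port") next
            ip = $(NF-3)
            split($3, hms, ":")
            t = (($2 * 24 + hms[1]) * 60 + hms[2]) * 60 + hms[3]
            n[ip]++; seen[ip, n[ip]] = t
            hits = 0                 # failures inside the findtime window
            for (k = n[ip]; k >= 1 && t - seen[ip, k] <= findtime; k--) hits++
            if (hits >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }
    ' "$1"
}

log=$(make_sample_log)
echo "findtime=600:";  detect_bans "$log" 3 600
echo "findtime=7200:"; detect_bans "$log" 3 7200
rm -f "$log"
```

With a 600-second window only the rapid burst is flagged; widening the window to 7200 seconds also catches the slow, spaced-out attempts, which is the trade-off to weigh when you tune these values in jail.local.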

What if you need to remove an IP address that was improperly banned? Check the current status of Fail2ban’s SSH service with the following command:

·         $ sudo fail2ban-client status ssh

Use Two-Factor Authentication

Two factor authentication or 2FA is another stable cyber security strategy. In short, two factor authentication means using more than one means of determining someone’s identity before permitting them access to a server, data, or control set.

For example, when you access your bank account, your bank may use two factor authentication by asking both for a password and for the answer to a security question only you know. Two factor authentication is helpful for security access since it imposes another barrier to entry, making it harder for hackers to gain access to sensitive systems.

You can set up two factor authentication on your Linux server by simply installing an authentication package. This is definitely one of the necessary packages mentioned above! When you set up the appropriate package, anyone who tries to access your Linux server will have to offer extra authentication or proof of identity in addition to your password. If you already have a strong password, the odds of someone having both pieces of information are low.

Depending on the package you choose, the extra layer of authentication might be a secret code, a QR code, or some other identifying data point. The authentication code could be displayed on a device like a phone or tablet or elsewhere using authentication software.

Like with all third-party packages, be sure to research different 2FA packages so you install the best one for your needs and the one that has the best reputation for maximum security.

Wrap Up

In the end, securing your Linux server is an ongoing process. While you should take the above steps, you should also keep abreast of evolving security threats and tutorials so you can continue to implement new digital defenses as they’re developed. Good luck!
